Splunk User Behavior Analytics

Detect Insider Threats and External Attacks

Modern threats are driven either by external attackers or by malicious insiders. Insiders are hard to detect because traditional security products do not model behavior, and sophisticated external attacks rely on novel techniques and long dormant periods that evade signatures. To address this, next-generation security tools must analyze trillions of events over extended periods of time and adopt a detection approach based on behavior modeling and peer-group analytics rather than rules and signatures alone.

Splunk UBA is an out-of-the-box solution built on a big data (Hadoop) platform that helps organizations find known, unknown and hidden threats. It uses a data-science-driven approach that produces actionable results with risk ratings and supporting evidence, so SOC analysts and threat hunters can quickly investigate and respond to threats.

User Behavior Analytics Product Tour

Security Dashboard

A high-level summary visualizing the threats and anomalies found within the organization, along with statistics on anomalous users, devices and applications.

Threat Review

Threat review screens assist with threat exploration by displaying the duration of the attack as well as the anomalies observed, the compromised or malicious users, the affected devices, and the anomalous applications stitched together as part of the attack.

Anomaly Review (User Centric)

A user-centric view highlighting users or accounts along with their risk scores, the anomalies and threats observed for them, and a histogram comparing how strongly each presents as an external (compromised-account) risk versus an insider risk.

Security Analytics

A dashboard displaying aggregates and baselines computed across multiple entities, with breakdowns at the individual entity level.

Splunk User Behavior Analytics Key Features

Big Data Foundation

Built on a big data foundation (Hadoop), Splunk UBA scales to process billions of events per day and supports analyzing hundreds of thousands of entities within an organization.

Machine Learning

Purpose-built unsupervised machine learning algorithms produce high-efficacy results in real time for incident response and threat hunting, without requiring labeled training data or analyst-written rules before they can run.

Multi-Dimensional Behavior Baseline

Historical and real-time data are used to build behavior baselines for each user, device and application; deviations from those baselines identify outliers, and the baselines themselves provide visibility into organizational metrics.

Real-Time Threat Detection and Visualization

Self-learning machine learning algorithms can automatically stitch anomalies together into threats and then visualize them over a kill chain for a SOC analyst’s response.

Seamless integration with Splunk Enterprise for data ingestion, along with real-time transfer of anomalies and threats into Splunk Enterprise Security (ES), helps organizations gain visual insight into their security posture and automate workflows.

Splunk UBA Use Cases

Customers use Splunk UBA for the following use cases:

Data Exfiltration

Quickly identify evidence of data exfiltration from assets or users within the organization.
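The behavior-baseline and peer-group ideas described under Multi-Dimensional Behavior Baseline, and the data exfiltration use case above, are easier to see on concrete events. The following Python script is an added illustration of that approach; it is not Splunk UBA's code or its algorithm. It builds a per-user daily outbound-bytes baseline and a peer-group baseline from constructed proxy-style events, scores a review day with a median/MAD (robust z) score, and contrasts the result with the fixed-threshold rule the text argues against. The sample events, the constants MIN_HISTORY_DAYS, Z_THRESHOLD and STATIC_RULE_BYTES, the 10%-of-median floor for flat histories, and the min-of-both-scores rule are all assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample events, not real telemetry: (day, user, peer_group, bytes_out).
# Days 1-7 are history; day 8 is the day under review.
SAMPLE_EVENTS = [
    # alice, engineering: ~50 MB/day, then a 2 GB burst on day 8
    *[(d, "alice", "eng", 50_000_000 + 1_000_000 * (d % 3)) for d in range(1, 8)],
    (8, "alice", "eng", 2_000_000_000),
    # bob and carol, engineering: steady tens of MB/day, day 8 included
    *[(d, "bob", "eng", 60_000_000 + 2_000_000 * (d % 2)) for d in range(1, 9)],
    *[(d, "carol", "eng", 55_000_000 + 500_000 * (d % 4)) for d in range(1, 9)],
    # frank, engineering: new account, day 8 is his first day, 1.5 GB out
    (8, "frank", "eng", 1_500_000_000),
    # dave and erin, backup operators: legitimately move ~3 GB/day every day
    *[(d, "dave", "backup", 3_000_000_000 + 10_000_000 * (d % 2)) for d in range(1, 9)],
    *[(d, "erin", "backup", 2_800_000_000 + 20_000_000 * (d % 3)) for d in range(1, 9)],
]

MIN_HISTORY_DAYS = 5               # assumed: fewer days than this -> score on peers only
Z_THRESHOLD = 5.0                  # assumed: robust z at which a day counts as anomalous
STATIC_RULE_BYTES = 1_000_000_000  # the fixed "more than 1 GB/day" rule to compare against


def daily_totals(events):
    """Aggregate bytes_out per (user, day) and remember each user's peer group."""
    totals = defaultdict(int)
    group_of = {}
    for day, user, group, nbytes in events:
        totals[(user, day)] += nbytes
        group_of[user] = group
    return dict(totals), group_of


def robust_z(value, history):
    """Median/MAD z-score (MAD scaled by 1.4826 to approximate a std dev).
    A perfectly regular history has MAD 0; an assumed floor of 10% of the
    median keeps such users scorable instead of dividing by zero."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = 1.4826 * mad
    if scale == 0:
        scale = max(0.1 * med, 1.0)
    return (value - med) / scale


def score_day(events, review_day):
    """Score every user active on review_day against (a) their own history and
    (b) the history of everyone in their peer group. The risk score is the
    smaller of the two z-scores, so a day is anomalous only when it is unusual
    both for the user and for the peer group; users without enough history
    are scored on peers alone."""
    totals, group_of = daily_totals(events)
    user_hist, group_hist = defaultdict(list), defaultdict(list)
    for (user, day), nbytes in totals.items():
        if day < review_day:
            user_hist[user].append(nbytes)
            group_hist[group_of[user]].append(nbytes)
    results = []
    for (user, day), nbytes in sorted(totals.items()):
        if day != review_day:
            continue
        own, peers = user_hist[user], group_hist[group_of[user]]
        self_z = robust_z(nbytes, own) if len(own) >= MIN_HISTORY_DAYS else None
        peer_z = robust_z(nbytes, peers) if peers else None
        present = [z for z in (self_z, peer_z) if z is not None]
        score = min(present) if present else None
        results.append({
            "user": user, "bytes_out": nbytes, "self_z": self_z, "peer_z": peer_z,
            "score": score, "anomalous": score is not None and score >= Z_THRESHOLD,
        })
    return results


def static_rule_hits(events, review_day, limit=STATIC_RULE_BYTES):
    """The fixed-threshold alternative: everyone over `limit` bytes on review_day."""
    totals, _ = daily_totals(events)
    return sorted(u for (u, d), b in totals.items() if d == review_day and b > limit)


if __name__ == "__main__":
    for r in score_day(SAMPLE_EVENTS, 8):
        own = "n/a" if r["self_z"] is None else f"{r['self_z']:.1f}"
        print(f"{r['user']:<6} {r['bytes_out']:>13,d} B  self_z={own:>7}  "
              f"peer_z={r['peer_z']:.1f}  {'ANOMALY' if r['anomalous'] else 'ok'}")
    print("static >1 GB rule would flag:", static_rule_hits(SAMPLE_EVENTS, 8))
```

Run as-is, the baseline flags only alice (a 2 GB day against a ~50 MB baseline, and far outside her engineering peers) and frank (no history of his own, but 1.5 GB is far outside the peer group), while the backup operators' daily 3 GB is normal for both them and their peers. The fixed 1 GB rule flags alice and frank too, but also dave and erin every single day, which is the false-positive load a static rule carries and a baseline avoids.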

Why Splunk for User Behavior Analytics?

Splunk UBA augments your existing security team and makes it more productive by finding threats that would otherwise be missed for lack of staff and time. Its machine-learning framework, customization options, and breadth of use cases help organizations automate the detection of known, unknown, and hidden threats. Splunk UBA addresses the entire lifecycle of an attack, including insider threats and external attacks, and gives customers the ability to detect, respond to and contain threats using Splunk Enterprise Security.